Date: Fri, 17 Jun 2011 13:04:44 GMT
From: Ike McCreery <ihmccreery@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: 'BSM conversion requested for unknown event' generated by audit
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         157946
>Category:       kern
>Synopsis:       [openbsm] [patch] 'BSM conversion requested for unknown event' generated by audit
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 17 13:10:09 UTC 2011
>Closed-Date:    
>Last-Modified:  Sun May 04 04:09:22 UTC 2014
>Originator:     Ike McCreery
>Release:        8.2
>Organization:
Oberlin College Computer Science
>Environment:
FreeBSD hostname.host.extension 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
Running FreeBSD with auditing turned on, and flags and naflags both set
to 'all' (in /etc/security/audit_control).  I'm getting two very similar
messages:

   BSM conversion requested for unknown event 43143

and

   BSM conversion requested for unknown event 43196

The first occurs whenever I ssh into the server (which succeeds), and
the second crops up when doing ls -l.  I and some coworkers have looked
through the source, and it seems that both are occurring because syscalls
are falling through in /sys/security/audit/audit_bsm.c (from the source).
Neither number nor its label as defined in /etc/security/audit_event
(43143=AUE_CLOSEFROM and 43196=AUE_LPATHCONF) show up in a search of
audit_bsm.c.
>How-To-Repeat:
Configure auditing as follows in /etc/security/audit_control:

dir:/var/audit
flags:all
minfree:5
naflags:all
policy:all
filesz:2M
expire-after:10M

Turn on auditing by running '/etc/rc.d/auditd start'.

Running 'ls -l' should give an error (43196), as should ssh-ing into
the machine (43143).
>Fix:
It seems that the source in /sys/security/audit/audit_bsm.c prints this
message if an audit request falls through (to line 1585) in the big switch
statement in the file.  Perhaps it is missing these two cases.
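
The lookup described in this report (event numbers from the console message, resolved through /etc/security/audit_event, then searched for as `case` labels in audit_bsm.c) can be scripted. The Python below is an added example, not part of the original report or of FreeBSD; all sample inputs are constructed, and `AUE_EXAMPLE_HANDLED`, 99999 and the placeholder descriptions are hypothetical.

```python
import re

MSG = re.compile(r"BSM conversion requested for unknown event (\d+)")

def parse_audit_event(text):
    """Map event number -> name from audit_event lines (number:name:description:class)."""
    events = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0].isdigit():  # skips blanks and # comments
            events[int(fields[0])] = fields[1]
    return events

def case_labels(c_source):
    """Return AUE_* names that have a live `case` label (C comments removed first)."""
    no_comments = re.sub(r"/\*.*?\*/|//[^\n]*", "", c_source, flags=re.S)
    return set(re.findall(r"\bcase\s+(AUE_\w+)\s*:", no_comments))

def triage(log_text, audit_event_text, c_source):
    """For each distinct event number logged: (number, name or None, has_case)."""
    names = parse_audit_event(audit_event_text)
    handled = case_labels(c_source)
    numbers = sorted({int(n) for n in MSG.findall(log_text)})
    return [(n, names.get(n), names.get(n) in handled) for n in numbers]

# Constructed inputs; descriptions and classes are placeholders, and
# AUE_EXAMPLE_HANDLED / 99999 are hypothetical, not real audit events.
SAMPLE_AUDIT_EVENT = """\
# number:name:description:class
43143:AUE_CLOSEFROM:placeholder description:xx
43196:AUE_LPATHCONF:placeholder description:xx
99999:AUE_EXAMPLE_HANDLED:placeholder description:xx
"""
SAMPLE_SOURCE = """\
switch (event) {
/* case AUE_LPATHCONF: commented out, so not a live label */
case AUE_EXAMPLE_HANDLED:
        break;
}
"""
SAMPLE_LOG = """\
host kernel: BSM conversion requested for unknown event 43143
host kernel: BSM conversion requested for unknown event 43196
host kernel: BSM conversion requested for unknown event 43196
host kernel: BSM conversion requested for unknown event 43145
"""

if __name__ == "__main__":
    for num, name, has_case in triage(SAMPLE_LOG, SAMPLE_AUDIT_EVENT, SAMPLE_SOURCE):
        print(num, name or "(name not resolved)", "case present" if has_case else "no case label")
```

An event listed with no `case` label is one that would fall through to the message quoted in the report; a number with no resolved name is simply absent from the audit_event text that was supplied.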

>Release-Note:
>Audit-Trail:

From: Efstratios Karatzas <gpf.kira@gmail.com>
To: bug-followup@freebsd.org
Cc: "I. H. McCreery" <ihmccreery@gmail.com>
Subject: Re: misc/157946: 'BSM conversion requested for unknown event'
 generated by audit
Date: Fri, 17 Jun 2011 23:43:39 +0300

 Hello.
 
 This issue was fixed in HEAD a year ago but still applies to the 8 src tree.
 This patch should fix the problem. I hope Ike is up for testing it before we
 go bugging someone (rwatson@?) to take a look at it.
 
 Cheers
 
 -- 
 
 Efstratios "GPF" Karatzas
 
 Content-Disposition: attachment; filename="patch_a.diff"

From: "I. H. McCreery" <ihmccreery@gmail.com>
To: Efstratios Karatzas <gpf.kira@gmail.com>
Cc: bug-followup@freebsd.org, Benjamin.Kuperman@oberlin.edu, 
	Luke Lovett <fractalbeach@gmail.com>
Subject: Re: misc/157946: 'BSM conversion requested for unknown event'
 generated by audit
Date: Wed, 22 Jun 2011 09:31:43 -0400

 Alright,
 
 I applied the patch and rebuilt the kernel.  Preliminary testing shows that
 the problems are both fixed: we're no longer getting error messages with `ls
 -l` or with an ssh into the server.
 
 Thanks for the help!
 Ike
 

From: Peter DeVries <devriesp@watershedsecurity.com>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>
Cc: "ihmccreery@gmail.com" <ihmccreery@gmail.com>
Subject: Re: kern/157946: [patch] 'BSM conversion requested for unknown
 event' generated by audit
Date: Mon, 23 Jul 2012 12:12:46 +0000

 I seem to be having this error appearing on a new build of 8.3-RELEASE-p3.
 
 uname shows:
 
 FreeBSD freebsd83.domain 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Tue Jun 12 00:39:29 UTC 2012    root@amd-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
 
 I'm getting the error for events 43145 and 43196.
 
 Thanks for any assistance.
 
 Peter DeVries
 devriesp@watershedsecurity.com
 
>Unformatted:
